Nmap Announce mailing list archives

Re: nmap..... via web


From: Fyodor <fyodor () dhp com>
Date: Fri, 19 Feb 1999 14:16:28 -0500 (EST)

On Thu, 18 Feb 1999, ajax wrote:

> anyway, www.mobis.com/ajax/code/nmap/webmap.cgi is my seven minute
> rendering of what i think it should look like, complete with sanity
> checking of the user input variable,

You mean this sanity checking?

   # sanity check
   if ($query->param('ip_address') =~ /[~`\#\$\!\%\^\&\*()\|\[\]\{\}\:\;\?]/ ) 
   { print "<H1><tt>Sorry, Try again. </H1>";
     exit; 
   }

and then later you call:

$output = `$nmap $ipaddress 2>&1`;

This doesn't look very sufficient to me.  For example, the banned chars
don't include space or '-'.  So what is to stop someone from giving an IP
address of '-o/etc/passwd mymachine' and thus overwriting your password
file?  There are a lot of other command lines which could cause damage.
And what if they include a newline and a second command?  Remember our
favorite phf.cgi?  Anyone who writes one of these needs to be very very
careful to ONLY allow what is known to be safe -- don't try to ban the
stuff you know is unsafe (because you won't catch everything).

Note that I haven't actually tested that my 'exploits' work.  Those are
just some of the things that look like problems at first glance.

Cheers,
Fyodor


--
Fyodor                            'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
In a free and open marketplace, it would be surprising to have such an
obviously flawed standard generate much enthusiasm outside of the criminal
community.  --Mitch Stone on Microsoft ActiveX
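Added example, not part of the thread and not ajax's CGI: the character denylist from the quoted Perl check ported to Python, beside the allowlist Fyodor recommends (accept only a dotted-quad IPv4 address) and an argument vector that never goes through a shell. The "-o/etc/passwd mymachine" input is the one from the message above; the nmap path and the newline sample are constructed.

```python
import re
import subprocess

# Same character class as the CGI's "sanity check" quoted above. Note what
# it does not contain: space, '-', and newline.
DENYLIST = re.compile(r'[~`#$!%^&*()|\[\]{}:;?]')

# Allowlist: exactly four octets in 0-255 separated by dots, nothing else.
OCTET = r'(?:25[0-5]|2[0-4]\d|1?\d?\d)'
ALLOWLIST = re.compile(r'\A' + OCTET + r'(?:\.' + OCTET + r'){3}\Z')


def denylist_accepts(value):
    """True if the CGI's check would let this value reach the backticks."""
    return DENYLIST.search(value) is None


def allowlist_accepts(value):
    """True only for a plain dotted-quad IPv4 address."""
    return ALLOWLIST.fullmatch(value) is not None


def build_command(nmap, target):
    """Argument vector for nmap; refuses anything that is not an IPv4 address.

    Because the allowlist guarantees the target starts with a digit, it can
    never be parsed as an option like '-o', and because the result is a list
    (not a string handed to /bin/sh), shell metacharacters are never
    interpreted at all.
    """
    if not allowlist_accepts(target):
        raise ValueError("target is not a dotted-quad IPv4 address")
    return [nmap, target]


def run_scan(nmap, target):
    """Run nmap without a shell; stdout and stderr are captured as text."""
    return subprocess.run(build_command(nmap, target),
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed samples: the message's option injection and a newline case.
    for sample in ["192.168.1.1", "-o/etc/passwd mymachine",
                   "10.0.0.1\nsecond-command"]:
        print(repr(sample), "denylist:", denylist_accepts(sample),
              "allowlist:", allowlist_accepts(sample))
```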